


Institutional Archive of the Naval Postgraduate School 


Calhoun: The NPS Institutional Archive 
DSpace Repository 


Theses and Dissertations 1. Thesis and Dissertation Collection, all items 


1999 


Autonomous agents for distributed intrusion 
detection in a multi-host environment 


Ingram, Dennis J. 


Monterey, California. Naval Postgraduate School 


http://ndl.handle.net/10945/8016 


Downloaded from NPS Archive: Calhoun 


Calhoun is the Naval Postgraduate School's public access digital repository for 


/ (8 D U DLEY research materials and institutional publications created by the NPS community. 
«ist : Calhoun is named for Professor of Mathematics Guy K. Calhoun, NPS's first 


NY KNOX appointed — and published -- scholarly author. 

; | LIBRARY Dudley Knox Library / Naval Postgraduate School 

411 Dyer Road / 1 University Circle 
Monterey, California USA 93943 





http://www.nps.edu/library 


DUDLEY KNOX LIBRARY 
NAVAL POSTGRADUATE SCHOOL 
MONTEREY CA 93943-5146" 





NAVAL POSTGRADUATE SCHOOL 
MONTEREY, CALIFORNIA 





THESIS 


AUTONOMOUS AGENTS FOR DISTRIBUTED 
INTRUSION DETECTION IN A MULTI-HOST 
ENVIRONMENT 


by 


Dennis J. Ingram 


September 1999 


Thesis Advisor: Neil Rowe 
Second Reader: Geoffrey Xie 





Approved for public release; distribution is unlimited. 





REPORT DOCUMENTATION PAGE Farm Apron 


OMB No. 0704-0188 


Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing | 
instruction, Searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of } 
| information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for | 
| reducing this burden, to Washington headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis | 
Highway, Suite 1204, Arlington, VA 22202-4202, and to the Office of Management and Budget, Paperwork Reduction Project (0704-0188) 
Washington DC 20503. 


1. AGENCY USE ONLY (Leave blank) 2. REPORT DATE 3. REPORT TYPE AND DATES COVERED 
September 1999 Master’s Thesis 


4. TITLE AND SUBTITLE 5. FUNDING NUMBERS 
Autonomous Agents for Distributed Intrusion Detection in a Multi-host 


Environment 


6. AUTHOR(S) 
Ingram, Dennis J. 


7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) 
Naval Postgraduate School 
Monterey, CA 93943-5000 






















8. PERFORMING 
ORGANIZATION REPORT 
NUMBER 













10. SPONSORING / 
MONITORING 
AGENCY REPORT NUMBER 


9. SPONSORING / MONITORING AGENCY NAME(S) AND ADDRESS(ES) 







11. SUPPLEMENTARY NOTES 
The views expressed in this thesis are those of the author and do not reflect the official policy or position of the 
Department of Defense or the U.S. Government. 


12a. DISTRIBUTION / AVAILABILITY STATEMENT 12b. DISTRIBUTION CODE 
_ | Approved for public release; distribution unlimited. 
13. ABSTRACT (maximum 200 words) 


Because computer security in today’s networks is one of the fastest expanding areas of the computer industry, 
protecting resources from intruders is an arduous task that must be automated to be efficient and responsive. Most 
( intrusion-detection systems currently rely on some type of centralized processing to analyze the data necessary to detect an 
| intruder in real time. A centralized approach can be vulnerable to attack. If an intruder can disable the central detection 
system, then most, if not all, protection is subverted. The research presented here demonstrates that independent detection 
_ agents can be run in a distributed fashion, each operating mostly independent of the others, yet cooperating and 
| communicating to provide a truly distributed detection mechanism without a single point of failure. The agents can run | 
along with user and system software without noticeable consumption of system resources, and without generating an 
overwhelming amount of network traffic during an attack. 





14. SUBJECT TERMS 45. NUMBER OF 
Intrusion Detection, Artificial Intelligence, Autonomous Agents, Computer Security PAGES 


66 
16. PRICE CODE 





18. SECURITY CLASSIFICATION OF 49. SECURITY CLASSIFICATION OF 20. LIMITATION | 


(a 


17. SECURITY 


CLASSIFICATION OF ae tare ; ABSTRACT | OF ABSTRACT 
REPORT ncelassilie Unclassified UL 
Unclassified 

NSN 7540-01-280-5500 Standard Form 298 (Rev. 2-89) 


Prescribed by ANSI Std. 239-18 





Approved for public release; distribution is unlimited. 


AUTONOMOUS AGENTS FOR DISTRIBUTED INTRUSION DETECTION IN A 
MULTI-HOST ENVIRONMENT 


Dennis J. Ingram 
Captain, United States Marine Corps 


A.S., Southeastern Louisiana University, 1984 


B.S., Park College, 1989 


Submitted in partial fulfillment of the 
requirements for the degree of 


MASTER OF SCIENCE IN COMPUTER SCIENCE 
from the 


NAVAL POSTGRADUATE SCHOOL 
September 1999 





ABSTRACT 


Because computer security in today’s networks is one of the fastest expanding 
areas of the computer industry, protecting resources from intruders is an arduous task that 
must be automated to be efficient and responsive. Most intrusion-detection systems 
currently rely on some type of centralized processing to analyze the data necessary to 
detect an intruder in real time. A centralized approach can be vulnerable to attack. If an 
intruder can disable the central detection system, then most, if not all, protection is 
subverted. The research presented here demonstrates that independent detection agents 
can be run in a distributed fashion, each operating mostly independent of the others, yet 
cooperating and communicating to provide a truly distributed detection mechanism 
without a single point of failure. The agents can run along with user and system software 
without noticeable consumption of system resources, and without generating an 


overwhelming amount of network traffic during an attack. 
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rs INTRODUCTION 


This thesis investigates using autonomous agents in a Windows NT network as 
intrusion-detection agents that act mostly independently yet share information. There are 
currently many intrusion-detection systems available, but most operate either on a 
separate computer monitoring the network traffic or as fully independent agents running 
on existing computers that report data to a central controller. My approach is to provide 
an agent that will run on some or all platforms in the network, and operate autonomously 
while at the same time cooperating with other agents to communicate threats throughout 


the network, to form a robust redundant detection system. 


A. BACKGROUND 


In the past decade, the Internet has grown from a fledgling network of computers 
to a multi million dollar industry. With everyone interconnected, the problem of security 
of information is a most definite concern. With all the information available on the 
Internet, intruders see the Internet as an easy opportunity for malicious mischief. 
Detecting an intruder in a network environment is hard for a human. The rates of data 
transfer and the amount of information flowing digitally through the physical media 
require an electronic means of surveillance. Even with a computer collecting the data, 
there is still too much information for a person to analyze and track in real time or even 
near-real time. 

To protect important systems from hackers, intrusion-detection systems are 
becoming more prevalent. Hundreds of intrusion-detection systems now on the market 
claim to protect your system. Most of these systems rely on centralized control and 
centralized analysis of data to determine if an intruder has entered the system. This 
centralized scheme of control is vulnerable since an intruder can disable or bypass it by 
attacking just one host. Many of these systems are single-host-based systems that sit on 
the network and monitor all traffic flowing through a segment. Other systems have 
multiple agents that reside throughout the network on separate hosts and report any 


abnormalities or alerts to a central repository for logging and analysis. Some programs 


have tried to combat the centralization of control by allowing multiple controllers, but 


this 1s not common. 


B. GOAL 


My goal is to determine, through experimentation, if multiple autonomous 
intrusion detection agents can act mostly independently, running on many servers and 
workstations in the network, and can collaborate to form a network protection grid with 
no single controller or point of failure, without overburdening the network or an 
individual workstation with network traffic. Disabling any agent should alert other 


agents in the system that there is a potential problem. 


C. THESIS ORGANIZATION 


Chapter II describes background and puts this research into perspective. It 
discusses types of detection systems and requirements for a good intrusion detection 
system. Chapter III discusses other work in this area that attempts to solve the problem. 
Chapter [V describes my intrusion-detection agent, its components, and how each 
component operates. Chapter V provides details of experiments and tests run on the 
system and the results of these tests. Chapter VI provides conclusions and future work 


expectations. 


I INTRUSION DETECTION 


A. BACKGROUND 


Intrusion detection is an absolutely essential part of today’s network-centric 
digital world. An intrusion into a computer system can be compared to a physical 
intrusion into a building by a thief: It is an entity gaining unauthorized access to 
resources. The unauthorized access is intended to steal or change information or to 
disrupt the valid use of the resource by an authorized user. Intrusion detection is the 
ability to determine that an intruder has gained, or is attempting to gain unauthorized 
access. An intrusion-detection system is a tool used to make this determination. The 
goal of any intrusion-detection system is to alert an authority of unauthorized access 
before the intruders can cause any damage or take any information, much like a burglar 
alarm system in a building. However, a digital computer system is far more vulnerable 
than a building and much harder to protect. The intruder can be hundreds of miles away 
when the attack is initiated, leaving behind very little evidence. 

Intrusions generally fall into two categories: misuse and anomalies. Misuse 
attacks exploit some vulnerability in the system hardware or software to gain 
unauthorized access. Many of these attacks are well documented and are easily detected 
by computer systems, but new ones are constantly being discovered. Anomalies are 
harder to detect since they often originate from an inside user who already has access to 
the system. They are characterized by deviations from normal user behavior, and 


detection requires some type of user profiling to establish a normal behavior pattern. 


B. TYPES OF DETECTION SYSTEMS 


There are several types of detection systems on the commercial market. These 


systems can be used individually or can be combined to provide more protection. 


oS) 


i Host-Based 


A host-based system resides on a single host computer. It uses audit logs or 
network traffic records of a single host for processing and analysis. This type of system 
is limited in scope since it is only able to see its own host’s environment, and cannot 


detect simultaneous attacks against multiple hosts. 


2: Network-Based 


A network-based system is a dedicated computer, or special hardware platform, 
with detection software installed. It is placed at a strategic point on a network (like a 
gateway or subnetwork) to analyze all network traffic on that particular segment. It can 
scan data traffic for known attack patterns. It can also determine Internet Protocol (IP) 
addresses that originate outside its subnet. This system can detect attacks against 
multiple hosts on a single subnet, but it usually cannot monitor multiple subnets at one 


time. It also cannot detect any host-based attack that does not pass through it. 


3. Distributed 


Distributed systems allow detection software modules to be placed throughout the 
network with a central controller collecting and analyzing the data from all the modules. 
This provides a robust mechanism for detecting intrusions across several subnets and 
several hosts. But it requires a dedicated computer to act as the central controller; 


centralization can make it vulnerable to attack. 


C; CATEGORIES OF ATTACKS 


Today’s hackers use several categories of attacks ranging from simple to very 


complex. The basic categories are listed in Table 1. 


One-to-one Attacker uses a single machine to attack a single target machine. 
Example: sendmail bugs. 


One-to-many Attacker uses a single machine to attack many targets. 
Example: probes, denial of service attacks. 


Many-to-one Attacker divides assault among multiple outside machines to attack a single 
victim. This is difficult to detect because multiple connections from 
multiple sources look more innocent than multiple connections from a 
single source. 
Example: SYN flood using IP spoofing to deny services. 


Many-to-many Many collaborating attackers divide the tasks of probing/attacking multiple 
victims. This poses the same challenge as the “many-to-one” case with the 
added complexity of multiple target machines. This kind of attack is very 
difficult to detect. 

Example: “Smurf” attack from multiple sources. 





Table 1: Attack Types (from DURST99) 


D. REQUIREMENTS FOR A DETECTION SYSTEM 


Joseph Barrus [BARRUS97] defined ten basic requirements for a good intrusion 


detection system: 


i? A system must recognize any suspect activity or triggering event that 
could potentially be an attack. 

2. Escalating behavior on the part of an intruder should be detected at the 
lowest level possible. 


Components on various hosts must communicate with each other 


>) 


regarding level of alert and intrusions detected. 


4. The system must respond appropriately to changing levels of alertness. 


Ws 


5. The detection system must have some manual control mechanisms to 


allow administrators to control various functions and alert levels of the 


system. 

6. The system must be able to adapt to changing methods of attack. 

fe The system must be able to handle multiple concurrent attacks. 

8. The system must be scalable and easily expandable as the network 
changes. 

oe The system must be resistant to compromise, able to protect itself from 
intrusion. 

10. The system must be efficient and reliable. 


E. SUMMARY 


The problems facing computer administrators are enormous and still increasing in 
scope. Protecting computer systems from attack must be automated to be efficient. 
There are programs available that perform adequately, but all seem to have the 
disadvantage of either being single-host or distributed with a central analysis point, which 
are both vulnerable. A completely distributed system with independent agents, each 
performing its own analysis and still coordinating with all other agents, might be the best 
design for a modern network. There would be no single point of failure, and an intruder 


would have to disable or bypass all the running agents to succeed. 


Il. OTHER WORK IN THE AREA OF INTRUSION DETECTION 


There are hundreds of systems available that perform intrusion detection, 
intrusion prevention, and system security checking. Many perform well and provide a 
robust detection mechanism, but few run in a fully distributed environment. Of those that 
are distributed, many are Unix-based systems and will not run on Windows NT 
platforms. There are fewer still that are portable between operating systems. 

The systems most similar to the one presented in this thesis all have one major 
difference from it, in that they are hierarchical in nature. This places the highest 
vulnerabilities at the upper level of the hierarchy. Degrading or disabling a top-level 
monitor would severely limit the detection capability of the system. None of these 


systems mention the use of an alert level to determine if an attack is in progress. 
A. ADAPTIVE INTRUSION DETECTION SYSTEM (AID) 


AID [SOBIREY99] is a client-server architecture that consists of agents residing 
on network hosts and a central monitoring station. Information is collected by the agents 
and sent to the central monitor for processing and analysis. It currently has implemented 
100 rules and can detect ten attack scenarios. The prototype monitor is capable of 


handling eight agents. This system currently runs only on UNIX-based systems. 
B. AUTONOMOUS AGENTS FOR INTRUSION DETECTION (AAFID) 


The AAFID architecture [ZAMBONI98] appears the most similar to the one | 
propose. AAFID is designed as a hierarchy of components with agents at the lowest level 
of the tree performing the most basic functions. The agents can be added, started, or 
stopped, depending on the needs of the system. AAFID agents detect basic operations 
and report to a transceiver, which performs some basic analysis on the data and sends 
commands to the agents. A transceiver may transmit data to a transceiver on another 
host. If any interesting activity takes place, it is reported up the hierarchy to a monitor. 


The monitor analyzes the data of many transceivers to detect intrusions in the network. A 


monitor may report information to a higher-level monitor. The AAFID monitors still 
provide a central failure point in the system. AAFID has been developed into two 
prototypes: AAFID, which had many hard-coded variables and used UDP as the inter- 
host communication, and AAFID2, which was developed completely in PERL and is 


more robust. They run only on Unix-based systems. 
C. COMPUTER MISUSE DETECTION SYSTEM (CMDS™) 


CMDS™ is a commercial product from Science Applications International 
Corporation (SAIC) [PROCTOR96]. It is a real-time audit reduction and alerting system 
that uses an expert system and statistical profiling to analyze audit records. The system 
uses distributed daemons running on host machines to monitor audit files. Information is 
sent to the CMDS central server for analysis by a rule-based expert system. It also uses a 
hierarchical architecture with several CMDS servers reporting to a higher CMDS system. 
It currently supports the operating systems SunOS, Windows NT, Solaris, Trusted 
Solaris, Ops Intel Workstation, Data General DSO, HP/UX, IBM LAN Server, Raptor 
Eagle Firewalls, ANS Interlock Firewalls, and SunOS BSM. This program appears to be 


robust across many platforms. 


D. EVENT MONITORING ENABLING RESPONSE TO ANOMALOUS LIVE 
DISTURBANCES (EMERALD) 


EMERALD [NEUMANNS99] is a system developed by SRI International with 
research funding from DARPA. The EMERALD project will be the successor to Next- 
Generation Intrusion Detection Expert System (NIDES). It is designed to monitor large 
distributed networks with analysis and response units called monitors. Monitors are used 
sparingly throughout the domain to analyze network services. The information from 
these monitors is passed to other monitors that perform domain-wide correlation, 
obtaining a higher view of the network. These in turn report to higher-level enterprise 


monitors that analyze the entire network. EMERALD is a rule-based system. The target 


Operating system has not been stated, but it is being designed as a multi-platform system. 
EMERALD provides a distributed architecture with no central controller or director; 
since the monitors are placed sparingly throughout the network, they could miss events 
happening on an unmonitored section. My approach is to employ agents on many hosts 


to attempt detection of all suspicious activity. 
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IV. HOST BASED AUTONOMOUS AGENTS 


A. INTRODUCTION 


Intrusion detection in a computer network is difficult. As detection mechanisms 
are designed and implemented, intruders discover new ways to infiltrate the system. Yet 
currently an intrusion detection system is the best way to protect your system from 
intruders. 

In designing my approach, I concentrated on agent communication and 
coordination. I did not try to incorporate extensive detection mechanisms into the code, 
as my goal was to determine decentralized agents could be designed to run and 
communicate without interfering with normal network and CPU operation. A related 
thesis by Stephen Kremer [KREMER99] deals with a broader range of intrusion and 


misuse phenomena in a network. 


B. SOFTWARE CHOICES 


The agent base design is implemented in Java® version 1.1.8 to enable it to be 
platform independent. Initial tests of the communications mechanisms were done on 
Windows NT 4.0 workstations and Windows NT 4.0 server and Linux version 5.2. 
Several trial runs were also conducted in a mixed environment with NT 4.0 workstation, 
NT Server, and Linux 5.2, running together. One problem discovered was that platform 
independence was difficult to achieve for an intrusion-detection system because many of 
the mechanisms used to detect intrusions, such as system logs and system alert facilities, 
are specific to a certain platform. For example, a collection of data from a system log is 
processed differently on a Windows NT platform than it is on a Linux or Sun® 


workstation. For this reason, 1 chose Windows NT as the single platform for final testing. 


Il 


C: AGENT DESCRIPTION 


I chose the name [DAgent because the agents were being designed for “Intrusion 
Detection” and also because the agents were supposed to operate “InDependently”. 

Figure 1 shows a simple block diagram of the [DAgent components needed for a 
single host. All major components of the agent are constructed as threads to allow them 
to run concurrently. The main components and data structures are: Controller module, 
TCP Receiver, UDP Receiver, TCP Transmitter, UDP Transmitter, Agent Window 


Manager, Host Sensor, Log Sensor, Message class, and Contact List of known agents. 


[DAgent Block 


Sensors 


= Controller 
Queue 
Alerts 
a Msg In Z 
Receiver Queue Known Agents List 
To Name:Addr:Port:ContactTime 


Other 


Avents On 
Transmitter e 
Queue 


Figure 1: [DAgent Block Diagram 


r Agent Window Manager 


The Agent Window Manager was written initially by Major Jim Breitinger to give 
a basic graphical window to display information for another project. I modified it to be 


used as a user interface with the [DAgent. It contains a display frame of 500 by 320 
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pixels for a text display area. The lower portion of the window contains an area with 
contro] buttons on a colored background of green, yellow, or red, depending on the 
current alert level of the IDAgent. The control buttons allow the generation of debug 
data for testing, the display of the current contact list of known agents, a display of alert 
messages that caused a change to the alert status, and a status which indicates a numerical 


value of the current alert level. 


2 Controller Module 


The controller is the brain behind the IDAgent. Once the main program initializes 
all variables and the Window manager is started, the Controller thread is started. The 
controller, as with almost all other threads, is in a suspended mode when there is no 
activity. Any activity in any sensor, receiver, transmitter, or Window Manager of the 
IDAgent will activate the controller to analyze the activity. Its primary purpose is to 
analyze incoming messages from other agents and internal sensors and determine if an 
intrusion is in progress. The controller updates the Alert status of the agent depending on 
the messages it receives. The Alert status can range from 0.0 to 1.0 and represents the 
likelihood that an intrusion is taking place. Alert levels of 0.0 to 0.4 will display a green 
indicator in the user display; 0.4 to 0.7 will show a yellow indicator; and above 0.7 will 
display red. 

The Alert level is increased depending on the “weight” of the message. All 
messages are initially sent with a weight value of 0.0; this prevents the message from 
affecting the alert level until the controller has analyzed the message. Once analyzed the 
message will either be saved for future reference or the weight and alert level will 
increase. Each message is analyzed when it arnves. If an attack is suspected, then an 
appropriate weight value is assigned to that message, which in turn increases the alert 
level of the IDAgent. If the message is not considered an attack, then the message weight 
remains 0.0. 

The normalized increase in the alert level, as shown in Figure 2, is inverse- 


exponential as the alert value increases. N = ((1.0 — A) * W) + A), where A = the current 
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alert level, W = the weight value of a message, and N = the new alert value. The alert 
level will approach 1.0 if many alerts are received. If no alerts are received within two 
transmit intervals (10 minutes in the current implementation), the alert level will decrease 
following a negative exponential curve, i.e, N = (A * Degradation Factor) where 
degradation factor is a fraction (0.9 in the current implementation). Figure 3 shows the 
decrease of alert level over time if no alerts are received. Eventually, the alert level will 


approach 0.0. 


Alert Value Changes for a given weight 
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Figure 2: Alert-Level Increase 
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Figure 3: Alert-Level Decrease 


If important information is received from an internal sensor, its agent’s controller 
will construct a message and send it to other agents in the network to notify them of an 
event or action that is taking place on its own host. Messages from another agent are not 
forwarded to other agents in the network to prevent duplicate message traffic. For an 
example, assume in a network of twenty computers that the agent on computer nine 
detects a failed login attempt. Its controller analyzes the attempt and constructs an alert 
message that is sent to all nineteen other computers. Now should the person attempt a 
login on another computer, it too would be detected and sent to all agents. 

The current implementation includes only basic intrusion capabilities for testing. 
It includes an external sensor written by Stephen Kremer [Kremer99] that scans the 


system logs for login attempts. The log sensor (section 11) is the internal interface 


- 
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between his program and the [DAgent that retrieves the login attempts. The attempts are 
passed to the agent where they are processed by the controller. The controller analyzes 
each failed login attempt and calculates a fraction of failed attempts as compared to the 
total attempts. This calculation is done both for attempts on a single host and the network 
as a whole. If either the host or network fraction reaches the threshold value for the 
agent, an alert message is constructed with a weight value of (fraction — threshold). To 
overcome the problem that occurs with small login ratios (1 login attempt and 1 failure is 
100% failure rate), the following formula is used to calculate the login-failure fraction: 
Fraction = (LoginFailures — 1 / TotalAttempts). Figure 4 shows the effect of this 


calculation. 


Weight Values of Login Failures 
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Figure 4: Login Failure Calculation 


Another internal sensor included in the agent is the host sensor, which uses the 
contact list of known agents to determine if an agent has stopped responding. The host 


sensor monitors how many remote agents have contacted it and checks to make sure they 
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are all still functioning (see section 9). If the number of agents not responding reaches a 


threshold, a message is sent to the controller. 


2) UDP Transmitter 


The Unreliable Datagram Protocol (UDP) Transmitter thread generates a UDP 
packet that contains the port number that the agent’s Transmission Control Protocol 
(TCP) receiver is listening on and identification of the local host on which it is running. 
It sends this packet as a broadcast message to the network on a port number determined at 
startup. This broadcast occurs every five minutes. The thread initiates the first contact 


and maintains the contact between all agents. 


4. UDP Receiver 


The UDP Receiver’s primary function is to receive the UDP broadcast messages 
of other agents and process them. The broadcast port number by default is 8000. 
Although any unused port number may be designated at system startup, all agents in the 
network must be running on the same port number. The UDP Receiver establishes a 
listener on the given port and waits for a broadcast message from another IDAgent. Ifa 
message is not in the correct format, an exception is generated and the broadcast is 
discarded. Otherwise, a contact record is created with the remote agent’s identifying 
information, the port number of its TCP receiver, and the time that the message was 
received. The contact record is placed in a list of known contacts that is used by the 
controller and transmitter when sending messages. Each time a broadcast is received, the 
new contact record is compared to the contact list. Ifa match is found, the timestamp and 
the TCP receiver port number of the original record are updated. The port number is 
updated in case an agent was restarted and is now listening on a different TCP port. The 
timestamp allows the controller to determine the last time that an agent contacted it to aid 


the host sensor in detecting a non-responding host. If an agent fails to broadcast for 3.5 
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transmit intervals, it is considered by other hosts to be non-responding and this may result 


in an alert being generated (see section 9). 


5. TCP Transmitter 


The Transmission Control Protocol (TCP) Transmitter thread sends messages 
between agents. A message contains information that an agent needs to report an attack. 
Since the delivery of such a message helps in the detection of an intruder, some guarantee 
of delivery must be expected. The Unreliable Datagram Protocol (UDP) Transmitter as 
the name implies does not provide such assurance, but the TCP protocol is connection- 
oriented and does [COURTOIS98]. Message composition is covered in more detail in 
section 7. In the current configuration, the transmitter will deliver any message to all 
known agents on the contact list. It establishes a connection with the remote agent’s TCP 


Receiver, transmits all currently available messages, and closes the connection. 


6. TCP Receiver 


The TCP Receiver thread picks a port to listen on that is not being used by any 
other components of the computer on which the agent resides. It returns this port to a 
global variable in the IDAgent so the UDP transmitter explained above will be able to 
access it to tell other agents which port the receiver is listening on. When a message 1s 
received, the TCP Receiver queues it for the controller in the message-in queue and 
continues listening for additional messages. A TCP socket connection must be 
established between two agents for the message transfer to take place. If a connection 
cannot be established, the sending agent should become aware of the problem and can 


report it to its own controller. 
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7. Message Class Data Structure 


A Message Class defines message objects that can be constructed and transmitted 
from one host to another. The class contains a message code, a data field for a 
description of the message, an identifier, a target address, a source address, a time stamp. 
and a message weight. The message code indicates why the message was sent. The 
string data field relates to the code and provides additional description of the code. The 
identifier supplies operands, if any, for the code. For example, if a message were for a 
failed login attempt, the identifier would store the account name. The target address is 
the Internet address and host name of the recipient. The source address is that of the 
current host. Each message is given a timestamp at origination. The message weight 1s 
the relative importance of the message as determined by the controller following the 
methods in section 2. In the current configuration of the IDAgent, the message size 1s 


787 bytes when the host name is eight characters. 


8. ContactList Class Data Structure 


The ContactList class is a data structure storing information about other known 
agents. It consists of an InetAddress, a port number, and a timestamp. The InetAddress 
is a Java data type that contains the Internet address and host name of a remote host. The 
port number is the port that the remote host has a TCP receiver listening on. The 


timestamp contains the last contact time of a remote agent. 


9. Host Sensor 


The function of the host-sensor thread is to determine if any remote agents are not 
broadcasting using the UDP transmitter. It checks the contact list of known agents and 
compares the time of last contact to the current time. If the host has not responded, an 


alert message is generated and placed in the controller queue (see Figure 1). The 


he 


controller will calculate a message weight based on previous messages. It will then use 
the message weight, of this internally generated message, to determine if there is 
sufficient evidence to update the system alert level. The fraction of hosts not currently 
responding determines the weight, to limit false alerts when an agent is stopped or 
restarted by an administrator. The host sensor does not cause any external messages to be 
generated. It is assumed that each IDAgent will detect a non-responding host, and 


therefore external messages would be redundant. 


10. Alert Parser 


The alert parser thread is a utility thread that maintains the internal messages that 
the controller uses to detect intrusions. The alert parser runs approximately every thirty 
minutes or six broadcast intervals. It looks through a list of old alerts and discards any 
over twenty-four hours old. It scans a list of recent alerts and places any over twelve 
hours old into the old alert list. This allows the controller to run more efficiently when it 
only needs to scan recent events. For the current configuration, only the recent alerts are 
used for processing. The alerts over twelve hours old were included for future sensor 


capabilities and are not currently used. 


11. Log Sensor 


The log sensor is another independent sensor thread. LT Steven Kremer 
{Kremer99] wrote the log sensor that automatically retrieves all login attempts from the 
system log and passes them to the internal log sensor thread. This requires that the 
system audit capabilities be turned on. Once the log sensor is instantiated, it periodically 
checks to see if anything has been passed in. If a login was attempted, a message to the 
controller is generated indicating the time, type of attempt, the host that the attempt was 
made on, and the name of the account used for the attempt. The controller stores the 


message and analyzes all previous attempts to try to detect a pattern. The log sensor 
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currently only detects login attempts, but it could be modified to detect other system 


events. The log sensor does not perform calculations to adjust the weight of the message. 


D. SUMMARY 


The IDAgent has been designed 1n a modular fashion to allow easy incorporation 
of new functionality and changes to internal components. It contains transmitter and 
receiver components for the transmission of messages to other agents in the network and 
a controller component to analyze the messages received. Other threads provide 
rudimentary intrusion-detection facilities and permit analysis of the data traffic and 


functioning of the components. 
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Ne EXPERIMENTS 


A. INTRODUCTION 


To conduct experiments, a program was designed that uses some simple detection 
mechanisms along with all the necessary components to transmit and receive data over 
the Internet. The first test was performed in the early stages of code development. Only a 
basic agent skeleton with TCP Transmitter and TCP Receiver classes was used in order to 
make an initial determination of network overhead usage. Follow-on tests were then 
conducted with other parts of the agent operating to get the full effect on network and 
CPU utilization. Finally, simulated alert messages were sent to see how the agents 


reacted and what impact this reaction would have on CPU utilization of the host. 


B. RESTRICTED NETWORK TESTING 


Initial throughput testing of the IDAgent was conducted on a closed network of 
three Micron 166Mhz Pentium computers, each running the Windows NT 4.0 operating 
system as server or workstation. Two of the machines were configured as workstations 
with 32MB of RAM, and one was configured as a server with 64MB of RAM. To prove 
portability of the basic agent, tests were also performed on the same machines running 
the Linux operating system version 5.2. However, no other portions of the testing were 
done on Linux, and the results were only used to show portability of the agent to other 
platforms. 

The agents had no detection capabilities or message processing capabilities during 
the initial testing. Only the network-bandwidth utilization was compared. Using an 
Observer® network-packet “sniffer” (a software program used to capture and analyze 
information being transmitted over a network), I monitored the network to determine the 
average bandwidth utilization for the three agents on a 10Mbps Ethernet 10BaseT 
network. The bandwidth measurement includes usage resulting from network polling, 
broadcasts, and network overhead on both the Windows NT and Linux operating 


systems. The IDAgents were configured to send 5,000 static messages of approximately 


tO 
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% Utilization 


155 bytes each to each of the other agents. With three agents running, 45,000 messages 
or approximately 6.975 Megabytes of data was transmitted. The test was repeated three 


times to get an average transmit time. Figure 5 shows the results. 
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Figure 5: Network Bandwidth Utilization 


The transmission of 45,000 messages took approximately 110 seconds, and the 
average bandwidth never exceeded 10% of the 10Megabit Ethernet network. The results 
were very encouraging since it will rarely be expected that an agent will need to transmit 


5000 messages in such a short time. 
Cc. GENERAL NETWORK TESTING 

The second test was conducted on an open network in the Computer Science 
Department at the Naval Postgraduate School. The subnet J used is the same one used by 


most students, faculty, and researchers in the department. I used the same three 
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computers and added four additional workstations, all running the Windows NT 
operating system version 4.0 workstation. The IDAgent was fully configured and 
included login detection, as described in Chapter IV section C sub-section 11, and host 
failure detection as described Chapter IV section C sub-section 9. Any successful or 
unsuccessful login attempts generate a message from the agent sent to all other hosts that 
have the IDAgent running; a broadcast message is sent by each host at five-minute 
intervals to update the contact list of known agents. Some general assumptions were 
made for this test to determine what an adequate number of login attempts should be. We 
estimated the number of daily login alerts based on a ten-user network. We assumed 
each user performs a login approximately three times a day. We assumed each user locks 
the computer screen an additional four times a day, requiring a password to unlock it, and 
generating an authentication alert. Windows NT authenticates users on the network who 
map a drive to a shared resource, which also generates an authentication alert on login 
since the resource 1s still open during a screen lock. It 1s assumed for this scenario that 
each user maps two network drives: one for shared applications and one for a shared file 
storage location. An expected login failure rate of 15% is set as the threshold in the 
IDAgent to reduce false alerts. With these assumptions, a network of ten users will 
generate approximately 130 login alerts per day, which will average approximately 16.25 
logins per hour. Table 2 shows the expected login alerts and the acceptable login failure 


rate for other numbers of users. 
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Table 2: Estimated Login Alerts 
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Using the same network sniffer as in earlier testing, I monitored the network with 
no agents running for one hour to establish baseline utilization. I then ran seven 
IDAgents on the network for one hour, generating over 50 login alerts and producing 
over 400 message transmissions. This is three times more than the average number for an 
hourly period in my assumptions. 

Figures 6 and 7 show the average number of network packets per second, average 
number of broadcasts per second, and percentage of network-bandwidth utilization for 
the one hour period both with and without agents running. The average number of 
packets sent while the agents were running was actually slightly lower than without. The 
average number of broadcast messages increased slightly as expected; the average 
network utilization decreased slightly as shown in Figure 7, which was not expected. 
However, looking at the percentage of bandwidth used, the slight drop is insignificant 
when compared to the total bandwidth available. The “average maximum utilization” 
averages the peak bandwidth usage for each ten-second interval. This average went up 
slightly from 1.9 to 2.3, which indicates that the packet transmissions show more short 
bursts of data. From the data collected, it appears that the [DAgent has little effect on 
bandwidth consumption in an open network. During the one-hour time that the agents 
were running, approximately 64,000 packets were captured. Of those packets, only 5,391 
were from one of the computers running an IDAgent, which is about 8%. The remaining 


92% were from normal network activity. 
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Figure 6: Average Packets and Broadcasts 
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Figure 7: Percent Network Bandwidth Utilization 


D. CPU UTILIZATION TESTS 


Another test was conducted using the Windows NT performance monitor and 
logging tool. I was able to log and graph the CPU utilization over time with an IDAgent 
running to see its impact. I configured the performance monitor to log processor usage 
for user programs and started one [DAgent; no other user programs were running on its 
computer. An IDAgent was also started on another host and login alerts were generated 
from both computers. During the thirty-minute analysis period, approximately 20 alerts 


were generated. Figure 8 shows that the maximum CPU utilization of the agent was 
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8.145%. The average utilization over the entire period was 0.329%. There are several 


small usage periods, when the [DAgent was active in receiving and sending messages. 
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Figure 8: CPU Utilization 


E. SIMULATED ATTACK SCENARIOS 


Several scenarios were used to test the reaction of the IDAgent. Three computers 
were used. In the first scenario, all three computers had several successful logins from 
users; then one computer had a series of unsuccessful login attempts on a single account. 
In the second scenario, several successful login attempts were performed on each 
computer, followed by a series of unsuccessful attempts. In the third scenario, all three 
computers were used, and many rapid consecutive unsuccessful login attempts were 


made from a single administrator account on one machine. 


i Single-Target Attack 


After allowing all three agents to run for several minutes with no activity, two 
successful logins were made on each computer followed by an attack on machine three. 
The attacker produced six successive login failures. Table 3 shows the login attempts 
and reactions of the agents with their corresponding alert level changes. Machine three 
responded differently because its weight calculation was based on attempts being made 
on its own host, while the other two machine calculations were based on attempts 
throughout the entire network because the messages onginated from another machine 
(See Chapter IV, section 2 for calculation details). The result is a higher alert level on the 


machine where the attack is taking place. 
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Table 3: Alert Levels for Single Target Attack 











pa Multiple-Target Attack 


The second scenario was much like the first but with an attacker attempting to 
login on to all three machines simultaneously instead of just one. Table 4 shows the 
results of the test. The alert levels for all machines were very close together since login 
failures were spread across all hosts. The second machine reached a yellow alert level of 
0.423 on the twenty-first login attempt with three local failed attempts, four remote failed 


attempts, and fourteen successful logins. The remaining machines reached a yellow alert 
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level of 0.486 after two more attempts; one successful and one failure. A total of twenty- 


three logins were attempted; eight login failures and fifteen successful logins. 
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Table 4: Alert Levels for Multiple Target Attack 





3. Network Saturation Test 


The I[DAgent is designed to suspend transmission of messages for a short period 
of time if it comes under a repeated attack, to prevent a flood of network traffic from its 
own messages. To test this, three test machines were started and 40 rapid login attempts 
were made against an administrator account on a single host. After transmitting 25 
messages to the other agents, the IDAgent being attacked continued to log the attack, but 
it did not continue transmitting messages until five minutes after the attack had stopped. 
Agent response was successful: The attacked machine had an alert level of 1.0, the 


highest that can be reached, while both remaining agents had an alert level of 0.999. 
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F. SUMMARY 


Testing showed that neither CPU utilization nor network utilization were heavily 
loaded by the [DAgent. Even with over 50 login attempts within one hour, the network 
traffic, broadcasts, and processing did not interfere with normal computer and network 
operations. The IDAgent was also able to detect several scenarios of login attempts from 
both a single host and multiple hosts, and escalated the alert level of each agent 


appropriately. 


VI. CONCLUSION AND FUTURE WORK 


xs CONCLUSION 


This thesis has proposed distributed nonhierarchical autonomous agents as an 
intrusion-detection mechanism. Testing demonstrated that such use of an agent in this 


environment can be successful. 


B. REQUIREMENTS REVIEW 


We can assess our system in terms of the ten basic requirements for a good 


intrusion detection system listed in Chapter II: 


1. The System Must Recognize Suspect Activity of a Potential Attack 


The prototype system could effectively recognize failed logins, both on a single 
host and across distributed hosts. To recognize other types of activity, sensors would 
have to be written. The modular design of the [DAgent allows the straightforward 


integration of new sensors. 


a Escalating Behavior Should Be Detected at the Lowest Level Possible 


The requirement to detect an intruder at the lowest level possible is very 
subjective. Triggering an alert the instant a failed login occurs would generate a large 
number of false positive alerts; waiting until an attack is absolutely certain might be too 
late. The threshold values in the IDAgent allow the level of detection to be adjusted to 


meet requirements. I believe my IDAgent detected login attacks at an appropriate level. 


Ld 
Ld 


5 There Must Be Inter-host Communication Regarding Intrusions and 
Alert Levels 


The IDAgent program was designed specifically to meet this requirement. Its 
transmitter and receiver components are the means of communication, and the Message 


Class data structure carries the information between hosts. 


4. There Must Be Appropriate Response to Changing Alert Levels 


This requirement was not implemented in the current configuration of the 


IDAgent. 


5. The System Must Incorporate Manual Control Mechanisms for 


Admiunistrators 


The user interface for the IDAgent includes some control for debugging and 
determining the status of the agent. There are no controls for resetting thresholds or other 


parameters, but they could easily be added. 


6. The System Must Be Adaptable to Changing Methods of Attack 


This requirement was only partially met because only login sensors were written. 


Multiple sensors would be needed to detect changing attack methods. 


a The System Must Be Able to Handle Multiple Concurrent Attack 
Threads 


IDAgent is a multi-threaded application that is capable of detecting multiple 
attack scenarios. If multiple login attacks were taking place, the [DAgent should be able 


to detect all suspicious activity. 


8. The System Must Be Scalable and Easily Expandable 


This requirement is fully met by IDAgent. To scale to a large network, you 
simply start agents on the added hosts. Expandability is allowed through the modular 


design of the agent. 


ae The System Must Be Resistant to Compromise and Able to Protect Itself 


from Intrusion 


This is left as future work. Java® provides many built-in security features, 


though none were incorporated yet. 


10. The System Must Be Efficient and Reliable 


Determination of efficiency was one of the primary goals of this thesis and has 
been adequately achieved in this prototype. Network bandwidth consumption and CPU 


utilization were both tested. The system was reliable under our limited testing. 


C. FUTURE WORK 


Some of the following would provide for a more robust agent for future work and 


testing: 


1. Secure Message Transfer 


The current agent does not incorporate security or secure message handling to 
prevent blocking of messages or generation of false messages. Java® does provide built- 


in encryption mechanisms that could be used. 


Ze Agent Authentication 


How does one determine if an agent that is responding is really a trusted agent or 
a piece of malicious software used by a hacker? Some form of authentication should be 


used to ensure security. 


3. Agent Service 


Running the [DAgent as an application under Java required a few work-arounds 
during testing. If the [DAgent was running and the user logged off, the [DAgent would 
terminate leaving no protection. The answer to this problem is to run IDAgent as an NT 
service. This was done successfully; however, the user interface cannot be seen or 
accessed making it difficult to monitor the agent. These problems would have to be 


overcome to successfully use the agent in a live network. 
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4. Using Another Programming Language 


The version of Java used in this implementation is an interpreted language and as 
such runs much slower than an application written in a lower level language. Java was 
sufficient for prototyping and allowed rapid development of the communication portions 


of the agent. However, other languages should be researched. 


5. Response to Attack 


There must be a response to an attack or intrusion to prevent entry. The system 


should be reactive. 


6. Sensors 


The [DAgent tested here had limited sensor capability. It could detect user login 
attempts and when another agent was not responding. Other sensors could scan for 
network traffic patterns, known attacks, or other system log entries. The agent was 


written in a modular fashion to allow such sensor threads to be included easily. 


qf, Threshold Values 


The threshold values in the agent were set based on my knowledge of network 
administration. Testing on a live network would allow the adjustment of the threshold 


values to better match the nature of the users in the network. 


8. Configuration File 


A configuration file that would allow an administrator to change parameters, 
variables, and threshold values without modification of the IDAgent would be a 


beneficial addition to the system. 
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APPENDIX A: PROGRAM CODE 


* IDAgent is the main executable class of the java program. All global variables 


f 
' 


— 


* are defined here and all internal threads for other classes are initialized 

* and started here. The Agent is designed to run independently on a computer 

* transmitting and receiving messages to other known Agents as detections or 

* anomalies are sensed: 

* 

* @author Capt Dennis Ingram, USMC 

* @version Last Updated on, %G% 

* @since JDK1.1 

* @param portnum The port that the machine will be listening on 

* This is set at 8000 by default but may be changed 

=! by the user at startup. It must be the same for 
all agents 

* In your network. 

* 

“es 
IMmpOnt JavasLO.~, 
import java.net.*; 
import java.lang.*; 
IMpOLrt java.util. *; 
import java.awt.’*; 
import java.awt.event.’*; 
impoOLrt- java text. *; 
public class IDAgGenEa 

final static int TRANSMITINTERVAL = 300000; //5 minutes default transmit 
interval 
// static int TRANSMITINTERVAL = 60000; //1l minutes 
ja Static int TRANSMITINTERVAL = 30000; //30 sec 
final static double DEGREDATION = 0.9; // for degrading the alert 

level. 


final static int HOUR B600000; =/ /s i) shour 

final static int MINUTE = 60000; //1 minute 

final static String BROADCAST =. 2552255.255-255)- 

Static double AlertLevel = 0.1; //AlertLevel between 0.0 and 1.0 

static int TotalKnownAgents = 1; //How many Agents have been on the net 


count myself. 


static int TotalAlertMsgsRcvd Or 
static int TotalAlertMsgsSent = 0; 
static int TotalBcastRevd = 0; 
static int TotalBcastSent = 0; 
Static Date StartTime = new Date(); 
static Date EndTime = new Date(); 


// msgs coming in from other agents 
Static Vector MsgInQueue = new Vector(); 


// msgs going out to other agents 
Static Vector MsgOutQueue = new Vector(); 


// Internal msgs from sensors to the controller 
Static Vector ControllerQueue = new Vector(); 


//create a list of Known Agents. 
static Vector AgentList = new Vector(); 


Static AgentWindowMgr WinMgr; 
Stalve agent controller conuroller, 
Static TCPtransmit sender; 


//List of all lecal addresses 
static InetAddress[] LOCALADDRESSES; 
Statre int) TCeport.— s002; 


public static void main(String args[]) throws Exception { 
//parameters = portnumber to listen on 
//example: c:\java IDAgent [{portnum] (*portnum optional). 
IDE spPCEChUM = 0; 
try 
LOCALADDRESSES = 


InetAddress.getAl1IByName (InetAddress.getLocalHost() .getHostName () ); 


portnum = Integer.parseInt(args[0}); //get a port for 
UDPreceiver 


catch (java.net.UnknownHostException e) {} 
catch (java.lang.ArrayIndexOutOfBoundsException e) { 
portnum = 8000; // if not set, use default 8000 


try { 


WinMgr = new AgentWindowMgr (portnum) ; 
WinMgr.addWindowListener (new CloseWindowandExit ()); 
Conreolicr — new agent COnErot ler), 

TCPreceiver listener = new TCPreceiver (portnum) ; 


SVStECM. CULE poelnel nt Conuroller ‘starting... 4) 
UDPreceiver 11 = new UDPreceiver(portnum) ; 
UDPtransmit tl = new UDPtransmit (portnum) ; 
SYStem. Out -printin(” receiver stanrting... )-; 

sender = new TCPtransmit(); 

System. out -printin ("transmitter staneing a: 

HostSensor hsl = new HostSensor(); //checks Status of known hosts. 

AlertParser apl = new AlertParser(); //checks Status of old Alerts. 


LogSensor l1sl = new LogSensor(); //check the sys log. 


} 
catch (Exception je) (System.cut.printin(” Main exception... " + e); 
el. printStackTracek ));} 
} //end main 
} //end class IDAgent 


[x* 

* A thread within the Agent that controls the flow of message traffic and contains 
* the logic for handling incoming and sensor data. This class is the brain 

* of the Agent. It continually monitors incoming messages from other Agents, and 
* messages from sensor threads and takes any necessary actions to notify the user 
* and other Agents in the network of anomalies. When there is no data to process 
iste 

* suspends until needed. 

* 

F eCauthor Capt Dennis Ingram, USMC 

* 

Bes 


class agent controller extends Thread { 
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dE 


QO. 


im 


final double MAXALERT = 1.0; 

final double HOSETHRESHOLD = . 35; 

final int MSGTHRESHOLD = 25; 

final double NETLOGINFAILTHRESHOLD = .15; 

final double HOSTLOGINFAILTHRESHOLD = .15; 

Date LastAlertTime = new Date(); 

//Vector for storing alerted msgs for use only by the controller. 
private Vector RecentAlerts = new Vector(); //within 12 hours old 
private Vector OlderAlerts = new Vector(); //over 12 hours old,purged daily 
private boolean StopSending = false; //flag on message sending. 
private int ResponseCnt = 0; 


agenGreenime lem) a4 
this Start. 
} //end agent controller constructor 


public Void rune iey 
D661] cane run lage aeecuc, 
ere ot 


while(run_flag) { 
if((System.currentTimeMillis() - LastAlertTime.getTime()) > 
(IDAgent.TRANSMITINTERVAL * 2)) { 
StopSending = false; //reset the flag if no alerts 


enerated. 
ResponseCnt = 0; //reset counter. 
//reduce alert level by Degredation factor 
IDAgent.AlertLevel=(IDAgent.AlertLevel * 
DAgent . DEGREDATION) ; 


if (IDAgent.AlertLevel < 0.05) 
IDAgent.AlertLevel = 0.05; //never go less than 


05 
LastAlertTime = new Date(); //when LastAlertTime is 


eached, reset. 

} //end if 

//check the alert status and change the window. 

double alrt = IDAgent.AlertLevel; 

tf (Glee mos 46 alrt <=] 0.4) { 
IDAgent.WinMgr.buttonPanel.setBackground(Color.green) ; 
IDAgent.WinMgr.buttonPanel.repaint(); 

} //end if 

if (alzt.> O-4ec56 alrt <= 0.77) sf 
IDAgent.WinMgr.buttonPanel.setBackground (Color. yellow); 
IDAgent .WinMgr.buttonPanel.repaint(); 

} //end if 

it (alr 0 Sc alr eel Oe 
IDAgent.WinMgr.buttonPanel.setBackground (Color. red) ; 
IDAgent.WinMgr.buttonPanel.repaint(); 

} //end if 

//I£f nothing to do now, suspend and wait for something to do. 

if (IDAgent .MsgInQueue.isEmpty() && 


IDAgent.ControllerQueue.isEmpty()) { 


currentThread().suspend(); //wait until called for. 
IDAgent.sender. resume (); 
} //end if 


synchronized (IDAgent.MsgInQueue) { 
if (!IDAgent.MsgInQueuve.isEmpty()) { //get a message for 


processing. 


Message inboundl = 
(Message) IDAgent .MsgInQueue. firstElement (); 


IDAgent .MsgInQueue. removeElement ( (Message) IDAgent .MsgInQueue 
.firstElement()); 


4] 


ProcessExt (inbound1) ; 
ver reveiel. alae 
} //end synch MsginQueue 
synchronized (iDAgent.ControllerQueue) { 
if (!IDAgent.ControllerQueue.isEmpty()) { //get a message 
for processing. 
Message localmsgl = 
(Message) IDAgent.ControllerQueue.firstElement (); 


IDAgent.ControllerQueue.removeElement ( (Message) IDAgent.ControllerQueue 
-ELEStCE lemene@); 
ProcessIint(localmsgl); 
boy end af 
} /send synch CO*/ 


} //end while runflag -- main controller loop 
} // end try 
catch (Exception e) {System.out.println("Controller exception.. " + e);} 


} //end run 


[/** 
* Processes all messages from an external source eg. another Agent. 
* @params inbound The reference to the message to process. 
mh 
private void ProcessExt (Message inbound) { 
LastAlertTime = new Date(); //update at each event. 
System.out.println("Processing message from another host " + inbound 


+ inbound.getWeight ()); 


synchronized(RecentAlerts) { 
RecentAlerts.addElement (inbound) ; 
} //end synch 
int codel = inbound.getCode(); 
if(codel == 529 || codel == 531) { 
ResponseCnttt+; 
inbound.setWeight(0.0); //reset the weight until evaluated by 
this agent. 
CheckLogins (inbound) ; 
} 
//Algorithm for increasing alert level. 
//result = ((1.0 - a) * x) + a; 
IDAgent.AlertLevel = (((MAXALERT - IDAgent.AlertLevel) * 
inbound. getWeight () ) 
+ IDAgent.AlertLevel) ; 
} //end method ProcessExt 


[** 
* Processes all messages or events received from internal sensors 
* eg. a failed logon attempt on the local machine. 
* @params localmsg The reference to the message to process. 
ay 
private void ProcessInt (Message localmsg) { 
//only internal alerts should generate output Messages for other 
Hosts. 
LastAlertTime = new Date(); //update at each event. 
System.out.println("Processing a local message " + localmsg + ":" 
+ localmsg.getWeight ()); 
synchronized (RecentAlerts) { 
RecentAlerts.addElement (localmsg) ; 
} //end synch 
if(localmsg.getCode() == 529 || localmsg.getCode() == 531) { 
//Failed login detected, check for other failures. 
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//if successful login detected, put in recent alerts. 
ResponseCnt++; 
CneckLogins (localmsg) ; 
}// end if 
if (localmsg.getCode() == 6) { 
ResponseCnt+t+; 
double sl = CheckHostStatus(); 
SYStem. Our. printin( Agents down = “ +.sl); 
7f (Sl 9> HOSTTERESHOLD) { 
localmsg.setWeight (sl); 
} // end ae sl; 
} // end if code == 6; 
System.out.printlin("Alert level is " + IDAgent.AlertLevel) ; 
IDAgent.AlertLevel = (((MAXALERT - IDAgent.AlertLevel) * 
localmsg.getWeight ()) 
+ IDAgent.AlertLevel); 
if (ResponseCnt > MSGTHRESHOLD) { 
StopSending = true; 
System.out.println("Stopped Sending messages temporarily"); 
//Premise is that if an agent iS sending more than a certian 
number of 
//messages in one TransmitiInterval, then something iS wrong. So 
stop 
//flooding the network. 
Las /end ach 
System.out.-printin("Changing Allert level by “+ 
localmsg.getWeight ()); 
System.out.printin("New Alert level is " + IDAgent.AlertLevel); 
if (localmsg.getCode() != 6 && !StopSending) { 
//1£ MSG 1s “NOStumot. responding’ ,adon't send msq=ro othe zs: 
//if StopSending flag set, don't send anymore messages right 
now. 
synchronized (IDAgent.MsgOutQueue) { 
IDAgent .MsgOutQueue.addElement (localmsg) ; 
IDAgent.sender.resume(); 
} // end synch 
} // end if 
} //end method ProcessInt 
7. * 
Processes the RecentAlerts list and purges the old contents to 
a new list called OlderAlerts. 
This assists in the determination of whether an Alert has already come 
in recently on a particular problem. 
It also purges any messages older than 24 hours from the OlderAlerts 


be pe Gy Pur 


Ines ts 
ai 
public void CheckForOldAlerts() { 
System. outeprinting (checking rtor old Alerts "); 
1£({/OlderAleres.asempty()) {'7/purge old messages 
Message ml = new Message(); // allocate ml 
for (Enumeration e = OlderAlerts.elements(); 
e.hasMoreElements();) { 
ml = (Message)e.nextElement (); 
if((System.currentTimeMillis() - 
ml.getTimeStamp().getTime()) > 
IDAgent.HOUR * 24) { //greater than 24 hours old 
synchronized(OlderAlerts) { 
OlderAlerts.removeElement (ml); 
} //end synch 
} /7 end ixet 
} //end for 
} // end if 


if (!RecentAlerts.isEmpty()) { // move non recent messages 
Message ml = new Message(); //allocate ml 
for (Enumeration e = RecentAlerts.elements(); 
e.hasMoreElements();) { 


ml = (Message)e.nextElement (); 
if((System.currentTimeMillis() - 
ml.getTimeStamp().getTime()) > 
(IDAgent.HOUR * 12)) { // move message to older Alerts 
Vist. 
synchronized(RecentAlerts) { 
OlderAlerts.addElement (ml) ; 
RecentAlerts.removeElement (ml); 
} //end synch 
} // end if 
}// end for 
} // end if 
} //end method CheckForOldAlerts () 
[** 
* This method is used when displaying the relevant alerts on the screen 
FOr the user. 
* @params code A code used for debugging. Under normal 
circumstances 
* only relevant messages are displayed. If 
the code is 
z set to 1 then all messages will be 
displayed for debugging 
ay, 
public void ShowAlerts(int code) { 
Message ml = new Message(); 
IDAgent .WinMgr.display("There are " + RecentAlerts.size() 
+ " Recent Alerts and " + OlderAlerts.size() + " Old Alerts"); 
IDAgent.WinMgr.display("Displaying relevant messages"); 
for (Enumeration e = RecentAlerts.elements(); e.hasMoreElements();) { 
ml = (Message)e.nextElement (); 
if (ml.getWeight() > 0.0 && code == 0) 
IDAgent.WinMgr.display(ml.toString());// print selected 
else 
SVStem. OUT. print ln (m2 ros emia (jee, (pel atc 
1/7 tend for 
System.out.println("There are ™ + OlderAlerts.size() + " Old 
Alerts) 


System.out.println("Displaying messages") ; 
for (Enumeration e = OlderAlerts.elements(); e.hasMoreElements ();) { 
ml = (Message)e.nextElement(); 
if(ml.getWeight() > 0.0 || code == 1) 
SVStem. out. print lim. tOSErIng());5//code 1 = print all. 
}// end for 


}// end method ShowAlerts() 


/ 


is found. If the number of hosts down is > the HOSTTHRESHOLD value then 
increase the alert level according to the percentage of down hosts. 
* It only runs a check when an alert to a down host is received. 
* @returns double The percentage of agents that are down. 
* @author Dennis J Ingram, USMC. 
a, 
public double CheckHostStatus() { 
int entr-= "0; 


* 

* This method checks the status of hosts when a host not responding message 
* 

* 
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Message ml = new Message(); //allocate mem for a new message. 
for (Enumeration e = RecentAlerts.elements(); e.hasMoreElements();) { 


ml = (Message)e.nextElement (); 
if (mil.getCode() == 6) { 
Entrt+, 
SVStenCuLt.printin(”"Check Host == Found 1°” + 


ml.getWeight()); 
feimi.gerWwergnt()) > 0.0) { 
cntr = 0; //reset, all previous already used. 
} // end if wt. 
} // end if code. 
}// end for 
ie enter 2 10)me 
//I have an alert I am processing, if there are more, use this 
one also. 
Gntrit, 
} 
SYSteMm. OWE: prInelo™ ener 1s ”“ + cntr + " Total agents is ~*~ + 
IDAgent .TotalKnownAgents) ; 
return (cntr/ (double) IDAgent.TotalKnownAgents); //return the 
percentage of down agents. 
}// end method CheckHostStatus. 


[** 

* This method performs all necessary checks on previous login attempts 

* to try to determine a pattern of intrusion. If a pattern is detected 

* on the current host or across multiple hosts, then a message is sent to 
* all Geherenosts te warnmwerethe intrusion. 

* @params mi The local message that was generated. 

* @author Dennis J Ingram, USMC 

* 


™ 


public void CheckLogins (Message inl) { 
boolean found = false; 
double TotalNetLoginAttempts = 0.0; 
double TotalHostLoginAttempts = 0.0; 
double NetLoginFailures = 0.0; 
double HostLoginFailures = 0.0; 
double PercentNetLoginFailures = 0.0; 
double PercentHostLoginFailures = 0.0; 
Vector LoginTable = new Vector(); //Temp Vector of User Login 
Failures. 
Message ml = new Message(); //allocate mem for a new message. 


for (Enumeration e = RecentAlerts.elements(); e.hasMoreElements();) { 


ml = (Message)e.nextElement (); 
int code = ml.getCode(); 
boolean local = false; 


for(int i=0;1i1 < IDAgent.LOCALADDRESSES.length;itt+) { 
if (ml.getFromAddress().getHostAddress().equals 


(IDAgent . LOCALADDRESSES [i]}].getHostAddress())) { 
local = true; 
Ley “end at 
}//end for 


Switch(code) { 
case 0 >: //A locally generated code. 
//reset all counters 
TotalNetLoginAttempts = 0.0; 
TotalHostLoginAttempts = 0.0; 
NetLoginFailures = 0.0; 
HostLoginFailures = 0.0; 


break; 
CaseteZbe- mw, 7, Ssuccessfule login 

PE local) { 
Syseem-out.printin(’ Code 528 local”); 
TotalHostLoginAttempts++; 
TotalNetLoginAttempts++; 

} //end if 

else { 
TotalNetLoginAttempts++; 

} //end else 


break; 
case 529 : //Failed Login 
Dt (Mec aes) 


Svstem OU printin ( Goede 529. local"); 
TotalHostLoginAttempts++; 
TotalNetLoginAttempts++; 
HostLoginFailures++; 
NetLoginFailures++; 

} //end if 

else { 
NetLoginFailures++; 
TotalNetLoginAttempts++; 

} //end else 

found = false; 

for(Enumeration el = LoginTable.elements(); 


el.hasMoreElements();) { 
LoginRecord rl = 


(LoginRecord)el.nextElement (); 
i1f(r1.Name.equals(ml.getID())) { 
eas es 


rl1.Machines.addElement (ml.getFrom()); //where attempt came from 
found = true; 
be / end. f 
}//end for 
ie (! round). { 
LoginRecord L2 = new LoginRecord(); 
L2.Name = ml.getID(); 
L2.Fail++; 
L2.Machines.addElement (ml.getFrom()); 
//where attemp came from. 
LoginTable.addElement (L2) ; 
b//endia ft! found) 
break; 
case 531 : //Acct Locked, Failed Login 
found = false; 
if(local) { 
System cut -printin(*Code 531 local”); 
TotalHostLoginAttempts++; 
TotalNetLoginAttemptst+; 
HostLoginFailures++; 
NetLoginFailures++; 
} //end if 
else { 
NetLoginFailurest++; 
TotalNetLoginAttempts++; 
} //end else 
for (Enumeration el = LoginTable.elements (); 


el.hasMoreElements();) { 
LoginRecord rl = 


(LoginRecord)el.nextElement (); 
if(rl.Name.equals(ml.getID())) { 


rl.Failt+t+; 
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r1l.Machines.addElement (ml.getFrom()); 
found = true; 


} // end at 
}//end for 
ietround) { 


LoginRecord L2 = new LoginRecord(); 
L2.Name = ml.getID(); 
L2.Fail++; 
L2.Machines.addElement (ml.getFrom()); 
LoginTable.addElement (L2); 
}//end if (!found) 
break; 
case 538 : //Successful Logoff 
//No action taken 
break; 
default 
break; 
}// end switch () 
}// end for 
PercentNetLoginFailures = (NetLoginFailures/TotalNetLoginAttempts) ; 
if (PercentNetLoginFailures-(1/TotalNetLoginAttempts) > 
NETLOGINFAILTHRESHOLD) { 
inl.setWeight ( (PercentNetLoginFailures- 
(1/TotalNetLoginAttempts) ) 
- NETLOGINFAILTHRESHOLD) ; 
System.out.printlin("New wt set Net%=" + PercentNetLoginFailures 


inl.getWeight()); 


PercentHostLoginFailures = 
(HostLoginFailures/TotalHostLoginAttempts) ; 
if ((PercentHostLoginFailures- (1/TotalHostLoginAttempts) > 
HOSTLOGINFAILTHRESHOLD) 
&& ((PercentHostLoginFailures-(1/TotalHostLoginAttempts) ) 
- HOSTLOGINFAILTHRESHOLD > inl.getWeight())) { 
inl.setWeight ( (PercentHostLoginFailures- 
(1/TotalHostLoginAttempts) ) 
- HOSTLOGINFAILTHRESHOLD) ; 
System.out.printlin("New wt set Host%=" + 
PercentHostLoginFailures + " wt=" + 
inl.getWeight()); 
} 
System.out.println("Total Login Attempts " + TotalNetLoginAttempts) ; 
SYStem. Cute Permeln ( Mora AtTrenPpEesmEntS iOSty. = + 
TotalHostLoginAttempts) ; 
System.out.printlin("Total Failed Logins " + NetLoginFailures); 
System.out.println("Total Failures this Host " + HostLoginFailures); 
// enumerate LoginTable and check for trends here. 
// Future work. 
}//end method CheckLogins. 


[** 
* This method defines the response that the controller will take toa 
specified 
* attack or alert. A response may range from turning on more enhanced 
MOnTEOringa 


* to shutting down the network interface for a period of time. 


* 


* @params response The response code representing the action to be 
taken. 
@author Capt Dennis Ingram, USMC 
até 
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public void Responder(int response) { 
Switch (response) { 
default 
break; 
}// end switch 
} // end method 
} //end class 


/** 
* Processes all incoming messages from other Agents and sends them to the 
* Controller for processing. Chooses a random port to listen on and informs 
* the broadcast mechanism to inform other Agents. 
* 
* @author Capt Dennis Ingram, USMC 
* @param portnum The port number that this TCPreceiver is to listen on. 
ay 
class TCPreceiver extends Thread { 
Mit spOrtnun, 
perversocket listen socket, 


TCPreceiver(int recport) { 
portnum = recport+2; 
EMTS aseake (ji, 
} 


BuUbbiC vord runt) 4 
boolean badport; 


do { 
badport = false; 
Gry a1 
do { 
IDAgent.TCPport = (int) (Math.random() * 10000); 
Jy white (LDAgGent = Terport < 91025); 
listen_socket = new ServerSocket (IDAgent.TCPport, 20) ; 
}) ‘catene ( Bindi xceptien em) bDadport = true; 
system.out.println("BadPort " + IDAgent.TCPport); } 
catch ( IOException e) { System.out.println (e);} 


} while (badport); 
pry 


while (true) { 


socket sock = listen_socket.accept(); 
ObjectInputStream is = new 
ObjectInputStream(sock.getInputStream()); 
try { 
while(true) { 
Message c = new Message(); 
c = (Message)is.readObject (); 
synchronized (IDAgent.MsgInQueue) { 
IDAgent .MsginQueue.addElement ( (Message) c) ; 
IDAgent.WinMgr.display("Rcvr Msg 


+ (Message)c + ": 
+ sock.getPort ()); 
IDAgent.TotalAlertMsgsRcvd++; 
} // end synch 
} //end while 

} //end try 

catch (java.io.EOFException ie) { } 

catch (java.net.NoRouteToHostException ie) { 
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System.out.printin("Computer Not Available " + 
InetAddress.getLocalHost()); 
} 
ise ciose(); 
Seer 1elose() ; 
IDAgent.Controller.resume(); 
} // end While (true) 
} //end try 
catch (Exception e) {System.out.printlin("Receiver exception .. " + 
Elina, 
fey fend mun 
} //end class TCPreceiver 
y * 
Receives and processes all broadcasts from other Agents. Maintains a list 
of Known Agents in the Local Network. 


i a, a, ae 2 


@author Capt Dennis Ingram, USMC 
* @param portnum The port that this receiver listens on for broadcasts. 
aed 

class UDPreceiver extends Thread { 

ime porcnum, 


UDPreceiver(int recport) { 
portnum = recport; 
ehas Staer ai, 

} 


puolile vod. rum (aa 
try { 
DatagramSocket listen_socket = new DatagramSocket (portnum) ; 
System.out pasar 'UDP=-=Listening on Port: ~ + 
Jisten socket .getLocalPorr)]; 


Whi Te SCE sie ja 1 
byte datal[] = new byte{4]; 


DatagramPacket pktl = new 
DatagramPacket (datal,datal.length) ; 

DiSteCMmoOckck receive (pPKEL);, 

IDAgent .TotalBcastRcvd++; 


ContactList cl = new 
ContactList (pkt1.getAddress(),Integer.parselInt ( 
new String (pktl.getData()))); 


synchronized (IDAgent.AgentList) { 
re (lel exists ()) 1 
IDAgent .AgentList.addElement (cl); 
IDAgent.TotalKnownAgents++; //keep track of 
total. 
bey fend if 
} //end Synchronized 


IDAgent.Controller.resume(); 
} // end While (true) 
Poy vend. Exry 
Catch Gava, 1o.EOFPEXcCept~Lion 2e)54 } 
catch (java.net.NoRouteToHostException ie) { 
System.out.println("Computer Not Available "); } 
catch (java.net.UnknownHostException ie) { 
System.out.println("Unknown Host rec " + ie); } 
catch (Exception e) { 
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Ssystem.out .println(“UDPReceiver exception .. " + e);} 
} //end run 
} //end class UDPreceiver 


[** 
* Responsible for transmitting all message traffic to other Agents in the network. 
* Suspends until the controller signals that there is traffic to send. Processes 
* all messages and sends them to all Known Agents in the Local Network. 

* 
* @author Capt Dennis Ingram, USMC 
*/ 
class TCPtransmit extends Thread { 
TEPtransmiec () 
Enis start (se 
} 


Dublie vore run.) 


Socket s = null; 
ObjectOutputStream out = null; 


Gry 4 
while(true) { 
eurrentinread() “suspend (jG wale, somesomet hing = to do- 
synchronized (IDAgent .MsgOutQueue) { 
synchronized(IDAgent.AgentList) { 
while(!IDAgent.MsgOutQueue.isEmpty() && 
!IDAgent.AgentList.isEmpty()) { 


for (Enumeration e = 
IDAgent .AgentList.elements(); e.hasMoreElements () ;) { 
ContactList cl = 
(ContactList)e.nextElement (); 
try { 
Ss = new 
Socket (cl .gqetHost (),ci- get Port); 
out = new 
ObjectOutputStream(s.getOutputStream()); 
IDAgent.TotalAlertMsgsSent++; 
for (Enumeration m = 
IDAgent .MsgOutQueue.elements(); 
m.hasMoreElements() ;) { 
Message templ = new 
Message(); 
templ = 
(Message)m.nextElement (); 


templ.setTarget (cl.getHost().getHostName()); 
templ.setFrom(); 
out.writeObject (templ) ; 
Cut. £lusa a 
} //end for more Messages 
out.close(); 
s.close(); 
} // end try 
catch (SocketException el) { 
SVstemsoue-prIimtin( Socket caught “ 
eee} 
} //end for more Agents. 
IDAgent .MsgOutQueue. removeAllElements () ; 
} //end While messages is not empty 
} //end AgentList synch 
} //end synch MsgOut 


IDAgent.Controller.resume () ; 
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} // end while 
} // end try 
catch (Exception e) { 
Sy seemeOurewrima@cin( TCPEransmit exception .. % + e) ;} 
} //end run TCPtransmit 
} // end class TCPtransmit 


[** 

* Responsible for periodically broadcasting to the network the host and port 
number 

* of the Agent. The broadcast 1s used by all other Agents to maintain the Known 
* Agents list and determine if an Agent is active. 
* 


* @author Capt Dennis Ingram, USMC 
* @param sendport The port that the Agent will transmit the broadcast message to, 


= all agents must be listening on the same port in 
the Local 

m Network in order to communicate. 

ad 


class UDPtransmit extends Thread { 
int Sendport; 


UDPtransmit(int sendon) { 
sendport = sendon; 
Chis start (); 

} 


Ppublie void run{() { 


try 4 
InetAddress al = InetAddress.getByName (IDAgent.BROADCAST) ; 
while(true) { 
DatagramSocket sl = new DatagramSocket(); 
byte dl[] = new byte[4]; 


di[0] = '8'; 
a Le =7 0"; 
aupZi—— oo 
asin 2"; 


String sZ = String. valuedO£ (IDAgent, TCPporte): 
dl = s2.getBytes(); 
DatagramPacket pl = new 
DatagramPacket (d1,dl.length,al,sendport); 
sl.send(pl); 
IDAgent.TotalBcastSent++; 
sl.close(); 
currentThread().sleep(IDAgent.TRANSMITINTERVAL) ; 
} // end while 
Jay? wena try 
catch (SocketException el) { 
SYStEM.OUt.printin("Socket caught» ” + el); } 
catch (UnknownHostException el) { System.out.printin("Unknown Host 
trans"); } 
catch (Exception e) { 
System.out.printin("TCPtransmit exception .. " + e);} 
} //end run UDPtransmit 
} // end class UDPtransmit 


{** 
* A class to hold login information and record counts for 
* all login attempts. Allows for tracking of unlimited user accts. 
* This class record will only be used to hold information temporarily while 
* the alert calculations are being made. 
ry, 
class LoginRecord { 


double Fail = 90; 
String Name = new String(); //user account used to attemp login 
Vector Machines = new Vector(); //list of machines attempted. 
[** 
* Constructorsror a Dlamkeogin srccord- 
* These records are only used temporarily in the checking of Login Failures 
AY, 
publTe LoginRecord (jase. 
public Stringweestring() { 
return (new String(Name + " Fail= " + Fail)); 
Pay vend tostring. 


}//end class LoginRecord 


[** 

* Provides storage fields and manipulation methods for an Agent Message, ensuring 
Enat 

* all messages sent and received have a common format. 

* @param Code Message code number 

* @param Data A string data message 

* @param Identifier A string identifier of the origin of the attack if known. 

* @param Target The target host to receive the message 

* @param From The sending host 

* @param TimeStamp The date/time the message was constructed. 

* @param Weight The weighted value that the message carries, the seriousness of 

* the message. Used to when calculating the 
AlertLevel. 

ae 


class Message implements Serializable { 


private int Code; 

private String Data; 

private String Identifier; 

private InetAddress Target; 

private InetAddress From; 

private Date TimeStamp; 

private double Weight; 

//Used for the data string 

Private String msgqliste| | == {Unknown Attache type”, 
"1 Successful Login Attempt", 
"2 Failed Login Attempt", 
"3 Invalid Login Attempt, 1 user, multi~-host", 
"4 Invalid Login Attempt, multi-user, 1 host", 
"> Invalad Login Attempt ,. muller -usen, emulti-=nese, 
"6 Agent Has Stopped Responding", 
"7 Test Message", 
"8 Test Message"}; 


{** 
* Constructor for a Message 
ay 
public Message() { 
Code = 0; // Default code 
Data = new String(msglist [Code] ); 


Identifier = new String(""); 
ene 
Target = InetAddress.getLocalHost(); //return address of 
localhost. 
From = InetAddress.getLocalHost(); //Initially set both to 
feecalnose. 
} catch (UnknownHostException e) { System.out.printin("Host not 
FOunad j753) 


TimeStamp = new Date(); 
Weight = 0.0; //default weight. 
} // end Message default constructor 


a2 


/** 
* Retrieves the Message code from a Message 
* @return Code 
ies 
public s2needeercdet) = | 
return Code; 
} //end getCode 


[** 
* Set the Code value for an existing Message, also sets the message 
* data string and the default Weight value for a message. 
* @param incode value to set the Code to. 
ai i 
public void setCode(int incode) { 
Code = incode; 
if (Code < msglist.length) { 
Data = msglist[Code]; 
Weight = 0.0; 
} 
else { 
Data = msglist[0]; 
Weight = 0.0; 
} 
} //end setCode 


/** 
* Gets the value of the Data String 
* @return this.Data 
i 4 
public String getData() { 
return this.Data; 
}//end getData. 


f x 
* Sets the value of the Data field when different than msglist 
* @param dl String to set data to 
ard 
pUbIIG voldysetDatavsering sd )> { 
Data = dl; 
}//end setData. 


[** 
* Sets the Identifier of the Message. 
* @param id The string value of the Identifier. 
av 
PlbttewvoOld SeclM i Sering 1dijee 
this.Identifier = id; 
}//end setID. 


[/** 
* Gets the Identifier String of the Message. 
* @return Identifier The string value of the Identifier. 
ay 
puUbEITe wo GmimGd -gerlp() 4 
return this.Identifier; 
}//end getID. 


[x* 
* Sets the Target value of a Message 
* @param hostname String value to set Target to 


air 


public void setTarget(String hostname) { 
eye 4 
Target = InetAddress.getByName (hostname) ; 
} 
catch (Exception e) {System.out.println(e);} 
} //end setTarget 


/** 
* Sets the From field of a Message to the current Local Host. 
wre 
public void setrrom() { 
Gaya 
From = InetAddress.getLocalHost (); 
} 
catch (Exception e) {System.out.println("“setFrom exception “™ + e);} 
} //end setFrom 


J*=* 
* Sets the From field of a Message to a specified Host. 
Fed: 
public void setFrom(InetAddress al) { 
From = al; 
} //end setFrom(InetAddress) 


| gies 
* Gets value of From field from a Message 
; seretien, string 
*/ 
DUDE Cebingegekrrom() 11 
PeCUEeEhins ~ Prom. Ost ring () ; 
} //end getFrom 


Hh ek 
* Gets InetAddress value of From field of a Message 
* @return InetAddress 
a 
public InetAddress getFromAddress() { 
FCEUrIM ENTS. From; 
} //end getFromAddress 


[** 
* Gets value of Target field from a Message 
* @Qreturn String 
sy | 
public String getTo() { //who is the packet going to. 
RebUrM this. lrergee. LOSETING |); 
} //end getTo 


/** 

. Gets the value of the Date field from a Message 
* @return Date; 

as 


public Date getTimeStamp() { 
return this.TimeStamp; 


} 


/** 
3 Sets the value of the TimeStamp to the current Time 
iP 
public void setTimeStamp() { 
this.TimeStamp = new Date(); 
} //end setTimeStamp. 
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[** 
* Sets the value of the TimeStamp to the Date/Time passed in 
* @param dl Date to set the time to. 
we 
public void setTimeStamp (Date dl) { 
this.TimeStamp = dl; 
}//end setTimeStamp. 


[** 
: Gets the value of the Weight assigned to the current message. 
= @return double; 
oe 


public double getWeight() { 
return this.Weight; 


} 


[** 

= Sets the Weight value of the current message. 
* @param wt The value to set the Weight to. 

7 


public void setWeight (double wt) { 
this.Weight = wt; 
} 


[/** 
* Overrides ObjJECEstocering () ~ 
wes 
public String “Gestring() 4 
String Sile= mew String(Code + " "“giehata + " “ + getrrom() 
te) eteamestamp st "© = + [dentiever ee + Welgit)- 


Betwrn Sli; 
} //end override toString 


} //end class Message 


[** 

* Contains the fields and methods for tracking and storing information about other 

* Known Agents in the Local Network. This information is used when transmitting 

* messages to other hosts. 

* 

* @author Capt Dennis Ingram, USMC 

* @param al InetAddress of another Agent on another host computer. 

* @param Portl The Port number of another Agent that you need to communicate 
with. 

* @param ContactTime The time stamp of the last broadcast received from an 
Agent. 

ue 


class ContactList { 


private InetAddress al; 
Private Int= -POrel; 
private Date ContactTime; 


[** 
* Constructor for a ContactList when passing in a String and a Port number 
* @param a A string name of the host contacting. 
* @param p An integer port number sent from the contacting host. 
27 
Publ te CenwacuLise (string a,int p) { 
ery 
al = InetAddress.getByName (a); 
Portl = p? 
ContactTime = new Date(); 
} //end try 


catch (Exception: e)as( System. out.printin( Conkack, listeexception.  =+ 


e) 7} 
} 7 /end=Gonstructor 
[** 
* ContactList constructor passing in an InetAddress and Port number 
* @param a An InetAddress of a Contact. 
* @param p The port number sent by the remote host. 
ard 
public ContactList(InetAddress a,int p) { 
ry. if 
al = a; 
FOrtl = p- 
ContactTime = new Date(); 
} //end try 
catch (Exception e) {System.out.println("Contact List exception2 " 
e);} 


| //end Constructor 


[** 
* Overrides Object.toString() 
“7, 

PublIewSEring  EoSEring (lad 


Strang sl = mew octring (al " 39 YP Portia... 2) CONnLaCE Lime): 
Letunm. sl; 
} // end toString override 


Vhs 
* Retrieves the InetAddress of a particular Contact. 
* @return InetAddress 
a, 
public InetAddress getHost() { 
return this .al; 
} //end getHost () 


[** 
* Retrieves the Port number of a particular Contact. 
* €return) int 
ay 
publAEG Ane getrors() Ft 
PeCUurn Ehas. Pore: 
} //end getPort() 


[** 
* Sets the port number of the current object to a specified port number 
“as 
DUbILIG  verd SerPorr Une pore) { 
thavs.Portl°= port; 
} //end setPort(); 


[** 
* Retrieves the time that an Agent last broadcast to the network. 
* @return Date 
my. 
public Date getDate() { 
return this.ContactTime; 
} // end getDate() 


[** 
* Updates a Contacts' last broadcast time. 
ae 
public void setDate() { 
ContactTime = new Date(); 
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} // end setDate() 


/** 

* Determines if a Contact is either already in the Known Agents list or 
* if the Agent is the Local Host computer. 

* @returns boolean 


“irs 
public boolean exists() { 
imteenocontact. — 0; 
for (Enumeration e2 = IDAgent.AgentList.elements() ; 
e2.hasMoreElements() ;) { 
ContactList ¢c2 = (ContactList)e2.nextElement (); 


LE (Enis selsvequals(c2.ai)). { 
c2.setDate(); // update the Agent.ContactTime. 
c2.setPort(this.Portl); //update the port number 
// in case the agent 
was brought down and back up 
return crue; 
} // endif 
}// end enum 
for(int 1=0 eee Agent LOCALADDRESSES.length;i¢++) ~{ 


if (this.al.getHostAddress().equals (IDAgent . LOCALADDRESSES [i] .getHostAddress ( 
))) { 
return true; 
} //endif 
} //endfor 
return false; 
}// end exists(); 


jay ena elass COntactlList 


/*«* 
x This class is the GUI interface that the user sees. It contains 
* a text area for messages and several buttons for performing debug 
* and information retrieval. 
i @author James Breitinger, Major, USMC. 
wef 
class AgentWindowMgr extends Frame implements ActionListener { 
// establish frame window area 
TextArea textAreal = new TextArea(); 
Button gettotal = new Button("Get Totals"); 
Button showagent = new Button("Agents"); 
Button alert = new Button("Alerts"); 
Button alertlvl = new Button("Status"); 
Panel buttonPanel = new Panel(); 
Color backgroundColor = Color.green; 


public AgentWindowMgr(int portl) 
{ 
//define window area 
super ("IDAgent: © + pore); 
$ecsize i500, 320); 
add(textAreal, BorderLayout.CENTER) ; 
buttonPanel.setBackground (backgroundColor) ; 
buttonPanel.setLayout (new FlowLayout (FlowLayout.CENTER,50,5)); 
buttonPanel.add(gettotal) ; 
buttonPanel.add(showagent) ; 
buttonPanel.add(alert); 
buttonPanel.add(alertlvl); 
add(buttonPanel, BorderLayout.SOUTH) ; 
gettotal.addActionListener( this ); 
showagent.addActionListener( this ); 


>! 


alert.addActionListener (this) ; 
alertlvl addActionbListener<enis)- 
setVisible (true); 
Yoyfend constructor 


public void actionPerformed(ActionEvent e) 
{ 
Object source = e.getSource(); 
boolean done = false; 
Cr ya 
if (source == gettotal) { 
SYVsSeenwouceprintin("’Total=Msgs Recvd * + 
IDAgent.TotalAlertMsgsRcvd) ; 
System.out.printlin("Total Msgs Sent " + 
IDAgent .TotalAlertMsgsSent) ; 
System.out.println("Total Bcast Recvd " + 
IDAgent.TotalBcastRcvd) ; 
System.out-printin(“Ttotal Beast Sent * + 
IDAgent.TotalBcastSent) ; 
System-out.printin(“Starte, Time =) + IDAgent .StartTime); 
IDAgent.EndTime = new Date(); 
System.out.printlin("End Time " + IDAgent.EndTime) ; 
IDAgent.Controller.ShowAlerts (1); 
} //end if submitmsg 
1f (source == showagent) { 
display("There are " + IDAgent.AgentList.size() + " 


known Agents."); 
for (Enumeration e2 = IDAgent.AgentList.elements(); 


e2.hasMoreElements ();) { 
ContactList cl = (ContactList)e2.nextElement (); 
display (cl -tostring (er 
}// end enum 
IDAgent.Controller.resume(); 
} // end if showagents 


if(source == alert) { 
IDAgent.Controller.ShowAlerts (0); 

} //end” is6 

if(source == alertlvl) { 
display("Current Alert Level is : ™ + 

IDAgent.AlertLevel); 
} //end if 
} //end try 


catch (Exception se) { System.out.println("“Action exception “™ + se);} 
} //end actionPerformed 
[** 
* Method called to display a string in the text area of the Window Manager. 
a] 
public void display(String s) { 
textAreal.append( s + "\n"); 
} //end display 
} //end class AgentWindowMgr 


fae 
* Remote Host sensor that detects when a host drops off line. 
* It will send an alert message to the current host controller 
* for each host that is down. 
* @author Dennis J. Ingram USMC 
ae 


class HostSensor extends Thread { 
HostSensor() { 


setDaemon(true); 
EhiLS.start ©); 
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} // endeeonstructor 
public sve Guna 


while(true) { 


SVstemacureprincin( Host Sensor Running. /."); 
Message ml = new Message(); 
for (Enumeration e2 = IDAgent.AgentList.elements(); 


eZ. hasMoreElements();) { 


ContactList cl = (ContactList)e2.nextElement (); 
if((System.currentTimeMillis() - cl.getDate() .getTime() ) 


(IDAgent.TRANSMITINTERVAL * 3.5)) { 
Svstem-Cuc.prantin( syseem down * + cl); 
ml.setCode (6); 
ml.setFrom(cl.getHost()); 
synchronized (IDAgent.ControllerQueue) { 
IDAgent.ControllerQueue.addElement (ml); 
} //end synch 
IDAgent .AgentList.removeElement(cl); // remove 
from List 
}//end 2 
}// end for 
tay yt 
IDAgent.Controller. resume (); 
currentThread() .sleep(IDAgent .TRANSMITINTERVAL) ; 
} catch (java.lang.InterruptedException e) { 
System.out.printlin(e) ;} 
} // end while 
} // end run 
}//end class HostSensor 


jx 

* This Thread runs periodically (every 6th broadcast interval) to 

F scan the RecentAlerts list@inm the Agent’ Controller for old msgs. 
If the messages are over 12 hours old, they are moved to the OlderAlerts list 
and are no longer processed under normal conditions. 

* @author Dennis J. Ingram USMC 

ay 
class AlertParser extends Thread { 


* 


* 


AlertParser() { 
setDaemon (true) ; 
thes .stare (jc: 

}// end Constructor 


publics voltd cunts 4 
while(true) { 
try { 


System.out.println("Parser Running..." + (new Date())); 
IDAgent.Controller.CheckForOldAlerts(); 
IDAgent.Controller.resume(); 
currentThread().sleep(IDAgent.TRANSMITINTERVAL * 6); 

} catch (java.lang.InterruptedException e) {} 

} // end while 
} // end run 
}//end class CheckAlerts 


[x 

* This Thread runs periodically (every 3rd broadcast interval, 15min) to 
* scan the Security Log and detect any problems that might be occuring. 
* If something is detected, new Alert messages are generated. 

* @author Dennis J. Ingram USMC 


o7 
class LogSensor extends Thread { 
Date LastProcessedTime = new Date(); 
LogSensor() { 
En’S.Stameise 
} //end LogSensor 


publive vo1d rune a 
File £1 = new Pile("e:\\secdata. log"); 


cry 
Process myProcess = Runtime.getRuntime().exec("bu_notify.exe"); 


} catch (java.io.IOException ee) { 
SyStem- out. princim(. £O Error starting the notify process”) ;} 
String Sl™= new Steingi).; 
while(true) { 
Enya 
SyVsteneeut,printin(” Log Sensor Running... "); 
FileReader frl = new FileReader (fl); 
BufferedReader brl = new BufferedReader (frl); 
while(brl.ready()) { 
sl = néw String (bri: readLine()); 
Logprocessing(sl); //to process the new log. 
}// end while 
bri -close(); 
Proc Lose (): 
fl.delete(); 
LastProcessedTime = new Date(); //update the last time 
read. 
IDAgent.Controller.resume(); //start up the controller 
when done. 
} catch (java.io.FileNotFoundException e) {} 
catch (java.io.IOException e) { 
System.out.printin("IO Exception 
BufferedReader") ; } 
Tey a 
currentThread().-sleep (IDAgent. TRANSMITINTERVAL) ; 
} catch (java.lang.InterruptedException e) {} 
} // end while 
} //end run 


* 


/ 


Logprocessing produces messages in the message class format from the 
strings that are read in from the log file. Each String is processed 
aS a new message. Each one is checked for validity and to see if it was 
processed previously. 

@param sl String parameter used to parse and create a message. 
i 

protected void Logprocessing(String sl) { 

Date dt3 = new Date(); 

StringTokenizer stl = new StringTokenizer(sl,","); 

String dtl = stl.nextToken(); 

String timely —"selenexeroken( ); 


* + €  F FF F 


int codel = (int) Integer.parseInt (stl.nextToken()); 
int code2 = (int) Integer.parseInt(stl.nextToken()); 
int code3 = (int)Integer.parseInt(stl.nextToken()); 
1f(codel '!= 528 && codel != 529 && codel != 531 && codel != 538 && 


codel != 539) 
return; // don't process anything if the codes don't match. 
String Account = stl.nextToken(); //temp 
String templ = stl.nextToken(); //temp 
String SourceCmptr = stl.nextToken(); 
Account = Account.toUpperCase(); 


60 


Semingedatez = new String(dtl + * " + timel); 
cry 4 
SimpleDateFormat df = 
(SimpleDateFormat) DateFormat. getDateTimeInstance(); 
df.applyPattern ("MM/dd/yy HH:mm:ss"); 
df.setLenient (true) ; 
dt3 = df.parse(date2) ; 
} catch (jJava.text.ParseException e) { 
System.out.println("Parse Exception " + e); } 
if(dt3.getTime() >= LastProcessedTime.getTime()) { 
Message ml = new Message(); 
ml.setTimeStamp (dt3); 
ml.setCode (codel) ; 
if(codel == 529 || codel == 531) 
ml.setData ("Login Failure"); 
ie (ecodel —— 528). { 
ml.setData("Login Successful"); 


pa / end wt 
ml.setID(new String(Account) ); 
if (codel == 528 }! codel == 529 ||] codel == 531) { 


synchronized (IDAgent.ControllerQueue) { 
IDAgent..ControllerQueue.addElement (m1) ; 
}//end synch 
V7 7 ena ert 
}// end if date >=() 
}//end Logprocessing() 
} //end class LogSensor 


/** 
* Class that cleans up after a Graphics window closes 
* Taken from Dietel Java Programming examples. 
of 
class CloseWindowandExit extends WindowAdapter { 
public void windowClosing( WindowEvent e ) 
{ 
try { 
Process myProcess = Runtime.getRuntime().exec("kill.exe 
bu notify.exe"™); 
} catch (java.io.IOException el) {} 
System.exit( 0 ); 
} 


} //end class CloseWindowandExit 


6] 
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